SaaS security checklist: 4 fail-safe steps to SaaS buying
- A SaaS security checklist is a comprehensive set of actions and considerations a SaaS buyer should go through before purchasing a new application.
- Assess your company’s security needs, develop a strong collaborative network with IT Security, include a security questionnaire in every SaaS buying process, and don’t forget about ongoing security sustainability.
- According to a Sophos study, 70% of organizations hosting in the public cloud experienced at least one security incident in 2020. As the world of SaaS continues to evolve, security threats will too, and therefore, security controls must evolve with them.
It can appear cut-and-dry on the surface, but there are layers and complexities to buying SaaS applications. Among them are internal priorities, specifications, stakeholders, budgets, legal, contracts, and last but certainly not least, security.
Because SaaS security is not something we can see the way we can see a SaaS solution's functionality, cost, and contracts, it is easy to overlook. That is, until a cybersecurity incident sets off a domino effect of unpleasant and potentially costly repercussions within your organization.
No pressure, but according to a Hacker News survey, 52% of respondents said checking and maintaining SaaS security is in the hands of the SaaS owner, or in other words, your company.
It is vital that SaaS buyers take a proactive approach to application security. That’s why we’ve created a four-step SaaS security checklist to keep in your buying toolbox.
1. Security needs and risk appetite
The first step in the SaaS security checklist is to assess your company’s security needs and security risk appetite.
If you’re lucky, your company’s IT team has defined SaaS policies and procedures. In that case, you’ll have information at your fingertips to review when needed, and there should be little to no gray area on what the security standards are.
But what if your company does not have those policies and procedures documented, and you’re unsure where to start? Then, IT’s involvement should begin at step one instead of step two.
There are some critical areas of security you’ll need to know. However, let me preface by saying that unless you’re a security professional who happens to be in a buying role, you are not expected to be the expert on any one of these things. As the SaaS buyer, though, you do need to be aware of them and have a general understanding of what they are.
- Asset management: Where does your company stand on SaaS user authentication and access control? In other words, who needs access, and to what?
- Data security: What type of data will be stored or shared with the SaaS product, and what is the company’s stance on protecting that data? What incident management procedures should be in place if a data breach occurs? Similar considerations apply to cloud security.
- Network security: Where does your company stand on firewalls, VPNs, and other network security controls?
- Scalability: What are the vertical and horizontal scaling expectations of your company for this SaaS product?
- Reliability: What kind of disaster recovery (DR) plan does your IT Security team require for SaaS products?
The great thing about step one is that it isn’t something you’ll have to do every time you buy a SaaS product. Instead, you might want to set up a schedule with your internal security team to review these needs regularly, perhaps quarterly or yearly.
2. IT Security collaboration
If you’re solid on step one, then you’ve likely already started a collaboration with IT Security. But if you haven’t and have already gotten two of your five SaaS buying “yeses” (department head and finance), now’s the time to get your third “yes” from security.
In a former role as a SaaS buyer, I found that a close relationship with all areas of IT was an integral part of the company’s SaaS success. The relationships meant that I knew who to call with security questions and ensured they were in the know and involved in any potential SaaS buying projects. When I led a request for proposal (RFP) or request for bid (RFQ) process, someone from the Security area was always on the stakeholder committee.
Security collaboration is important because it adds a layer of protection to SaaS buying, but it also gives your tech teams a chance to plan resources appropriately for any SaaS implementation and deployment requirements.
And, perhaps just as compelling to us buyers, your IT teams will get so familiar with your involvement that if they are made aware of a SaaS application need before you, they’ll return the favor and make sure you’re a part of the process early on. It’s a win-win.
3. Risk and security assessment questionnaire
Step three of the SaaS security checklist is to get a risk and security questionnaire filled out by each potential SaaS provider. Of course, not every SaaS project will be the same. In fact, few will be. But one thing that should be steadfast — no matter the product or the buying process — is the company’s risk and security assessment questionnaire.
The questionnaire is something you’ll work with Security to create and will be a (likely extensive) list of cybersecurity-related questions for each potential SaaS provider. The questionnaire may need to be modified from product to product, depending on the intended use and the data that it will store.
A SaaS supplier may not have security policies that meet every one of your internal security requirements, but this questionnaire allows your company to review its security best practices at a higher level.
Also, remember that the types of questions you need to ask may vary depending on the type of SaaS application you’re purchasing. In general, the SaaS security questionnaire can be a one-size-fits-all approach with a few potential tweaks. The supplier may include answers to some of these questions in their service level agreement (SLA), but it is perfectly OK to include them here, too.
So, what types of questions should be on your SaaS risk and cybersecurity questionnaire? We’ll touch on a few of the more common categories.
Asset management gets into the details of access controls within the application: for example, who has access to the system, how that access is controlled, and what method is used to verify credentials. These are essential asset management considerations.
Here are some common questions related to cloud application asset management you might include on your security questionnaire:
- Who will be able to access the company’s production environment and data?
- How is their access to the production environment and data controlled and monitored?
- Will there be any third parties with access to the system or integrations?
- Describe the authentication methods supported (e.g., Active Directory, ADFS, Shibboleth, SAML).
- Does the product support two-factor authentication?
- How are accounts provisioned?
- How are user roles managed?
There is, at minimum, a one-way transfer of data in most SaaS products, and typically much more than that. That data may include end-user personally identifiable information (PII), financial data such as bank account information, health information protected under HIPAA, and other types of sensitive data, depending on the nature of your company.
The following are some data protection questions you may want to include on the security questionnaire:
- How is data protected? Describe any controls for data integrity.
- Do the company’s intellectual property rights and trade secret information remain intact?
- Describe data rights if the company removes data or if the supplier relationship ceases.
- Are data feeds or transfers manual or automated?
- Describe any APIs needed.
- What measures does the supplier enforce to prevent data leaks?
When it comes to external security threats, network security controls are the first line of defense. Some common network-related questions to ask suppliers are:
- Does the company use firewalls? If so, please describe. If not, please explain.
- Does the company have written network guidelines?
- Does the company have network monitoring and alerting in place?
- Is any part of the company's network management outsourced?
- Is VPN required for access to the company's network?
Scalability is important because even if the company has no known intention of expanding its use of the SaaS product, the need may arise in the future.
Here are a couple of questions related to scalability you may ask potential suppliers:
- Is the proposed product scalable?
- What, if any, are the limits to the scalability of the product?
SaaS buying companies care about downtime for obvious reasons. If we’re paying for a product, we want it to be reliable. But more than that, it is important to know what type of disaster recovery plans a SaaS supplier has in place to avoid data loss. Consider these reliability questions for your questionnaire:
- Does the supplier have a disaster recovery plan in place? If so, attach it with the response.
- Are there any exclusions in the disaster recovery plan?
- Does the supplier have a failover site with the same security standards?
- Describe incident response times.
- What are the guarantees offered during recovery?
- Does the supplier have a continuity plan? If so, attach it with the response.
- Does the supplier hold any security certifications or attestations (e.g., ISO 27001, SOC 1, SOC 2)?
4. Security sustainability plan
If you’ve completed steps one through three of the SaaS security checklist, you’ve been pretty thorough, but don’t hang up your security hat quite yet. Regardless of what your company’s security plan is, it needs to be sustainable. This means periodic updates of the security and risk questionnaire. I found that coordinating this with contract renewal helped me not to forget it. Figure out a time that works for you and your SaaS supplier.
Here are some ways to keep a sustainable security plan:
- Work with SaaS suppliers to update the security and risk questionnaire at every contract renewal.
- Ask for proof of new security compliance certifications and certification renewals.
- Ask for proof of any security auditing conducted on the supplier and their products.
SaaS security checklist: Is security the lifeblood of SaaS success?
At one time, on-premises applications, where we managed security exclusively within our own organizations, were all we knew. By the late 1990s, SaaS entered the scene and created a more digitized world than most of us had ever imagined.
SaaS, and now SaaS delivered as cloud services, has changed the game by giving us the same and, in many cases, better functionality without the need for dedicated servers, in-house security infrastructure, and the labor to install software on user machines. This technology has given our organizations more efficiency, more robust compliance, better reporting capabilities, and greater savings, all in real time.
SaaS products continue to expand, which means security issues will continue to change, and security controls must change with them. As SaaS buyers, our ability to adapt to the ever-changing security landscape is imperative to our company’s success. The SaaS security checklist is a fail-safe strategy to help ensure that success.